ServiceNow User Request Integration

Integrate Privilege Management with ServiceNow to manage user requests. In a typical Privilege Management scenario, the end user tries to launch an application that requires elevated privileges or falls outside of existing policy rules. With this integration, the user sends a request to run the application from PM Cloud to their existing ServiceNow instance as a ticket.

The following ServiceNow ticket types are supported in the PM Cloud integration: Incident, Change Request, and Service Catalog.

End user message example for a ServiceNow integration with PMC.

The screen capture shown here is an example of how the messages appear for the end user in a ServiceNow integration. Similar to other application rules in Privilege Management, the user can select from a list of reasons for the request, or use free-form text.

 

Configuration includes:

  • Download the BeyondTrust Privilege Management app from the ServiceNow store.
  • Register Privilege Management as an OAuth client in ServiceNow.
  • Create a user account in ServiceNow.
  • Configure the connection details to PMC in ServiceNow.
  • Activate and create a connection to ServiceNow in PMC.
  • Create an application rule in the Policy Editor and apply messages to the rule that are specific to ServiceNow authorization.

Download and Install the Privilege Management App

  1. Go to the ServiceNow Store.
  2. Search for BeyondTrust. The search displays all BeyondTrust products that integrate with ServiceNow.
  3. Find the BeyondTrust Privilege Management Integration app.
  4. Download and install the app into your ServiceNow tenant.

 

Create an OAuth Client for PMC

Application Registries - BeyondTrust PM Oauth Application Registry

PMC must be added as an OAuth client in ServiceNow.

  1. In ServiceNow, go to Application Registry.
  2. Configure the settings as shown. The Client ID, which is automatically generated, is required when setting up the connection in PMC.

 

Create a User Account in ServiceNow

When setting up the user account, the x_bmgr_pmc.api role is required.

Add a user account in ServiceNow for PMC integration.

  1. Go to User Administration > Users.
  2. Enter the user account information. The user account is required as part of the configuration in PMC.

 

 

Configure the Connection to PMC in ServiceNow

A Privilege Management instance is required for full operation. The appliance is set up in ServiceNow to connect ServiceNow with a PMC instance.

Configure PMC in ServiceNow

  1. Go to BeyondTrust Privilege Management > Configuration.
  2. To turn on the integration to PMC, select Yes.
  3. To configure the outbound integration, enter the following:
    • PMC Tenant ID: The tenant ID of the Privilege Management appliance.
    • PMC Client ID: The OAuth client ID that is used to authenticate to the Privilege Management appliance.
    • PMC Client Secret: The OAuth client secret that is used to authenticate to the Privilege Management appliance.
    • PMC Service Host Name: The hostname of the Privilege Management appliance.

 

  4. To configure the application defaults (optional), enter the following:
    • Default Category for Task: The default category for tasks created by the application. The default is Software.
    • Default Short Description for Task: The default short description for tasks created by the application. The default is PMC Authorization Request.
    • Active States for Change Request: A comma-separated list of states in which the integration actions are available to users. This list is for change requests only.
    • Active States for Incident: A comma-separated list of states in which the integration actions are available to users. This list is for incidents only.
    • Default Service Catalog Item Name: A default catalog item name for PMC.
  5. Click Save.

Configure the ServiceNow Integration in PMC

ServiceNow configuration in PMC

  1. Go to Configuration > Authorization Request Settings.
  2. To activate the integration, select Enable Authorization Request Integration.
  3. Under ServiceNow Configuration, enter the following:
    • Host name: The host name provided on the Configuration page in ServiceNow.
    • Username and Password: Enter the user account information you created in ServiceNow.
    • Client ID: The ID generated in ServiceNow available on the Configuration page.
    • Client Secret: The secret created on the Configuration page in ServiceNow.
    • Task Type: Select a ServiceNow task type from the list: Incident, Change Request, or Service Catalog Request.
  4. Under Notification API Configuration Details, the Tenant ID and Host Name are auto-generated.
  5. To create the Client ID and Client Secret used by the integration in ServiceNow, click the Generate button.
  6. To confirm the connection, click Validate Settings.
  7. Click Save Changes.

Testing the Configuration

The ServiceNow Connection Test Tool verifies connectivity to the Privilege Management host. It tests the Client ID and Client Secret.

ServiceNow Connection Test Tool screen

  1. Go to BeyondTrust Privilege Management > Connection Test Tool.
  2. Click Test.

 

Restrict Access to Applications

In the ServiceNow authorization request workflow, you can restrict access to application requests. On an approved request, Help Desk can set a time limit in the ServiceNow ticket. The time limit is the length of time the user can use the application before the approval automatically expires.

Under the Application, Policy, or Decision tab, select a Duration.

ServiceNow Duration settings for PM Cloud tickets

Access time limit can be one of the following:

  • Once: Permits access to the application only one time.
  • Hour: Enter the number of hours the user will be permitted access, between 1 and 24.
  • Day: Enter a day between 1 and 31.
  • Forever: Access to the application never expires.

Click Approve.

 

ServiceNow and PM Cloud authorization request workflow with duration set

After the time expires, the user can no longer access that application. The user must go through the request workflow again, with the Help Desk personnel approving and selecting a duration time for access.

Duration settings are included in the authorization auditing.
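The following Python script is an added illustration of the duration semantics described above (Once, Hour 1-24, Day 1-31, Forever) and of how a duration decision can be carried into an audit record. It is not BeyondTrust or ServiceNow code, and the Approval record, function names, and sample ticket references (INC0000001, CHG0000001 and so on) are constructed for the example; the real products do not expose this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The four Duration options a Help Desk approver can pick on the ticket.
ONCE, HOUR, DAY, FOREVER = "Once", "Hour", "Day", "Forever"

# Bounds the page gives for the countable durations: hours 1-24, days 1-31.
LIMITS = {HOUR: (1, 24), DAY: (1, 31)}


@dataclass
class Approval:
    """Hypothetical record of an approved request (constructed for this
    example, not a PM Cloud or ServiceNow data model)."""
    ticket: str            # constructed ticket reference
    application: str       # application the user asked to run
    duration: str          # one of ONCE, HOUR, DAY, FOREVER
    approved_at: datetime  # when Help Desk clicked Approve
    count: int = 0         # hours or days; ignored for Once and Forever
    uses: int = 0          # launches already consumed; only Once is limited to one


def validate_duration(duration: str, count: int = 0) -> None:
    """Reject durations the ticket form would not allow."""
    if duration not in (ONCE, HOUR, DAY, FOREVER):
        raise ValueError(f"unknown duration: {duration!r}")
    if duration in LIMITS:
        low, high = LIMITS[duration]
        if not low <= count <= high:
            raise ValueError(f"{duration} must be between {low} and {high}, got {count}")


def is_valid_duration(duration: str, count: int = 0) -> bool:
    """Boolean form of validate_duration for callers that prefer no exception."""
    try:
        validate_duration(duration, count)
        return True
    except ValueError:
        return False


def expires_at(approval: Approval) -> Optional[datetime]:
    """Absolute expiry time, or None when the approval has no time limit
    (Forever) or is limited by use rather than by time (Once)."""
    if approval.duration == HOUR:
        return approval.approved_at + timedelta(hours=approval.count)
    if approval.duration == DAY:
        return approval.approved_at + timedelta(days=approval.count)
    return None


def access_allowed(approval: Approval, now: datetime) -> bool:
    """Decide whether a launch at `now` is still covered by the approval.
    A Once approval is consumed by the first permitted launch; after a timed
    approval expires the user must go through the request workflow again."""
    validate_duration(approval.duration, approval.count)
    if approval.duration == ONCE:
        if approval.uses >= 1:
            return False
        approval.uses += 1
        return True
    expiry = expires_at(approval)
    return expiry is None or now < expiry


def audit_entry(approval: Approval, now: datetime, allowed: bool) -> dict:
    """Audit record that keeps the duration decision next to the outcome."""
    expiry = expires_at(approval)
    return {
        "ticket": approval.ticket,
        "application": approval.application,
        "duration": approval.duration,
        "count": approval.count,
        "expires_at": expiry.isoformat() if expiry else None,
        "checked_at": now.isoformat(),
        "allowed": allowed,
    }


def sample_decisions() -> dict:
    """Constructed scenario exercising each duration type; returns the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    once = Approval("INC0000001", "tool.exe", ONCE, t0)
    two_hours = Approval("CHG0000001", "installer.exe", HOUR, t0, count=2)
    one_day = Approval("INC0000002", "editor.exe", DAY, t0, count=1)
    forever = Approval("INC0000003", "viewer.exe", FOREVER, t0)
    return {
        "once_first": access_allowed(once, t0),
        "once_second": access_allowed(once, t0 + timedelta(minutes=5)),
        "hour_within": access_allowed(two_hours, t0 + timedelta(hours=1)),
        "hour_after": access_allowed(two_hours, t0 + timedelta(hours=3)),
        "day_within": access_allowed(one_day, t0 + timedelta(hours=23)),
        "day_after": access_allowed(one_day, t0 + timedelta(days=2)),
        "forever_much_later": access_allowed(forever, t0 + timedelta(days=3650)),
        "hour_expiry": expires_at(two_hours).isoformat(),
    }


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name}: {outcome}")
```

The check is deliberately evaluated at launch time against the stored approval rather than by storing a flag, so a clock read after the expiry produces a denial even if the user kept the application open; whether a running process is terminated at expiry is a product behaviour the page does not describe.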

 

End user messaging for the ServiceNow user request ticket process.

When using the duration settings to restrict access, a message displays to the end user indicating the request must be approved on the ticket in ServiceNow.

To proceed with the authorization, the user must select a reason from the list, then click Request.

 

ServiceNow pending message on ticket approvals for application access.

A pending message displays to the end user until a decision on their request is made in ServiceNow.

To view the status on their ServiceNow ticket, the end user can click the request reference link.

 

Use Service Catalog as the Task Type

You must configure the following if your ServiceNow infrastructure uses Service Catalog to manage user requests.

Select Service Catalog Request as the Task Type in PM Cloud.

  • In PMC, select Service Catalog Request as the Task Type on the Authorization Request Settings page.

 

Create a ServiceNow catalog item for PM Cloud.

  • In ServiceNow, you must add PMC as a Catalog item.
  • Specific details on configuring the catalog item depend on your Service Catalog implementation.